User with itil role not to modify CI

Giri6 · ‎05-14-2020

I find any user with itil role is able to modify existing configuraiton items(CI). But I see itil role has nested role cmdb_read only not write. Not sure any other nested rule is giving update access. If I need to take away modifying CIs, what is the way? Appreciate it.

Jaspal Singh · ‎05-14-2020

Hi Giri,

Did you check for ACL of type write on CI (configuration item) table?

View solution in original post

Jaspal Singh · ‎05-14-2020

Hi Giri,

Did you check for ACL of type write on CI (configuration item) table?

Ct111 · ‎05-14-2020

itil role has access because they (techinician or the person who is working on incident) need to select appropriate CI incase user of the incident selects wrong CI while submitting the incident.

if you want to understand which all fields are editable by itil have a look at incident table ACL's with read and write

Pradeep Sharma · ‎05-14-2020

Hello Giri,

Check for existing WRITE ACL's and ensure the ITIL role is not in the list. Alternatively you can disable the existing one and create a new write ACL and grant the access to the required roles per your requirement.

- Pradeep Sharma

Giri6 · ‎05-14-2020

Thanks for the replies. It is fine to select CI by anyone. I am only talking about the ability to update/create anything in CMDB not to give to anybody with itil role.

I went to acl and searched for name cmdb_ci and operation write and found 3. I deactivated one that has itil role. Now I verified that one with ITIL role can't edit.

I am assuming cmdb_ci is base table and lot of others extend this. If I disable write on base, does it automatically disables for all child tables as well?

Thanks for all the help.